Subdomains

BBOT

1.
bbot -t ghostwolflab.com -f subdomain-enum

2.
bbot -t ghostwolflab.com -f subdomain-enum -rf passive

3.
bbot -t ghostwolflab.com -f subdomain-enum -m naabu gowitness -n my_scan -o .

Amass

# https://github.com/OWASP/Amass
1.
amass enum [-active] [-ip] -d ghostwolflab.com

2.
amass enum -d ghostwolflab.com | grep ghostwolflab.com 

Subfinder

# go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
subfinder -d ghostwolflab.com [-silent]

AssetFinder

# https://github.com/tomnomnom/assetfinder
assetfinder --subs-only <domain>

theHarvester

# https://github.com/laramies/theHarvester
theHarvester -d ghostwolflab.com -b "anubis, baidu, bing, binaryedge, bingapi, bufferoverun, censys, certspotter, crtsh, dnsdumpster, duckduckgo, fullhunt, github-code, google, hackertarget, hunter, intelx, linkedin, linkedin_links, n45ht, omnisint, otx, pentesttools, projectdiscovery, qwant, rapiddns, rocketreach, securityTrails, spyse, sublist3r, threatcrowd, threatminer, trello, twitter, urlscan, virustotal, yahoo, zoomeye"

Third-party website APIs

1.
curl https://sonar.omnisint.io/subdomains/ghostwolflab.com | jq -r ".[]"

2.
curl https://jldc.me/anubis/subdomains/ghostwolflab.com | jq -r ".[]"

3.
# Get Domains from rapiddns free API
rapiddns(){
 curl -s "https://rapiddns.io/subdomain/$1?full=1" \
  | grep -oE "[\.a-zA-Z0-9-]+\.$1" \
  | sort -u
}
rapiddns ghostwolflab.com

4.
# Get Domains from crt free API
crt(){
 curl -s "https://crt.sh/?q=%25.$1" \
  | grep -oE "[\.a-zA-Z0-9-]+\.$1" \
  | sort -u
}
crt ghostwolflab.com

5.
# Get subdomains from GAUs found URLs
gau --subs ghostwolflab.com | cut -d "/" -f 3 | sort -u

Shodan

shodan domain <domain>
shodan search "http.html:*.domain.com"

Censys

# https://github.com/christophetd/censys-subdomain-finder
python3 censys-subdomain-finder.py ghostwolflab.com

Crawling web files

1.
# https://github.com/nsonaniya2010/SubDomainizer
python3 SubDomainizer.py -u https://ghostwolflab.com | grep ghostwolflab.com

2.
# https://github.com/Cillian-Collins/subscraper
python subscraper.py -u ghostwolflab.com | grep ghostwolflab.com

3.
# https://github.com/projectdiscovery/httpx
cat subdomains.txt | httpx -follow-host-redirects -random-agent -status-code -silent -retries 2 -title -web-server -tech-detect -location -o webs_info.txt
cat webs_info.txt | cut -d ' ' -f1 | grep ".domain.com" | sort -u > websites.txt

4.
# https://github.com/jaeles-project/gospider
gospider -S websites.txt --js -t 20 -d 2 --sitemap --robots -w -r > urls.txt

5.
# https://github.com/tomnomnom/unfurl
cat urls.txt | sed '/^.\{2048\}./d' | grep -Eo 'https?://[^ ]+' | sed 's/]$//' | unfurl -u domains | grep ".domain.com"

DNS resolution

Common subdomain wordlists:

https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056

https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt

https://localdomain.pw/subdomain-bruteforce-list/all.txt.zip

https://github.com/pentester-io/commonspeak

https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS

Commonly used tools:

1.
# https://github.com/blechschmidt/massdns
sed 's/$/.domain.com/' subdomains.txt > bf-subdomains.txt
./massdns -r resolvers.txt -w /tmp/results.txt bf-subdomains.txt
grep -E "domain.com. [0-9]+ IN A .+" /tmp/results.txt

2.
# https://github.com/OJ/gobuster
gobuster dns -d mysite.com -t 50 -w subdomains.txt

3.
# https://github.com/projectdiscovery/shuffledns
shuffledns -d example.com -list example-subdomains.txt -r resolvers.txt

4.
# https://github.com/d3mondev/puredns
puredns bruteforce all.txt domain.com

5.
# https://github.com/blark/aiodnsbrute
aiodnsbrute -r resolvers -w wordlist.txt -vv -t 1024 domain.com

Permutations

Obtain more subdomain candidates by permuting and combining the given domain with the known subdomains (and, for most tools, a word list).

1.
# https://github.com/ProjectAnte/dnsgen
cat subdomains.txt | dnsgen -

2.
# https://github.com/subfinder/goaltdns
goaltdns -l subdomains.txt -w /tmp/words-permutations.txt -o /tmp/final-words-s3.txt

3.
# https://github.com/Josue87/gotator
gotator -sub subdomains.txt -silent [-perm /tmp/words-permutations.txt]

4.
# https://github.com/infosec-au/altdns
altdns -i subdomains.txt -w /tmp/words-permutations.txt -o /tmp/asd3

5.
# https://github.com/bp0lr/dmut
cat subdomains.txt | dmut -d /tmp/words-permutations.txt -w 100 \
    --dns-errorLimit 10 --use-pb --verbose -s /tmp/resolvers-trusted.txt
    
6.
# https://github.com/projectdiscovery/alterx
echo ghostwolflab.com | alterx

7.
# https://github.com/cramppet/regulator
python3 main.py adobe.com adobe adobe.rules
make_brute_list.sh adobe.rules adobe.brute
puredns resolve adobe.brute --write adobe.valid

8.
# https://github.com/elceef/subzuf
echo www | subzuf ghostwolflab.com
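To make clear what the permutation tools above actually compute, here is an added, self-contained shell example; it is not code from dnsgen, altdns, gotator or any other project listed on this page. The function name, the three permutation modes (new leftmost label, word-label, label-word) and the constructed demo input are this example's own choices. Only names inside the target zone are permuted, and the output is a candidate list that still has to be resolved with the massdns/puredns step described earlier.

```bash
#!/usr/bin/env bash
# Added example: minimal subdomain permutation generator (not from any listed tool).
# Input : known subdomains, one per line, on stdin; a word list file as $2
# Output: de-duplicated candidate names under the target zone $1.
#         Candidates only: they still have to be resolved.

# Usage: gen_permutations <target-zone> <wordlist-file> < subdomains.txt
gen_permutations() {
  target=$1
  words=$2
  while IFS= read -r fqdn; do
    [ -z "$fqdn" ] && continue
    # only names inside the target zone are permuted; strip the zone suffix
    case "$fqdn" in
      *."$target") labels=${fqdn%."$target"} ;;
      *) continue ;;
    esac
    first=${labels%%.*}          # leftmost label, e.g. "api" in "api.dev"
    rest=${labels#"$first"}      # remaining labels incl. leading dot, e.g. ".dev"
    while IFS= read -r w; do
      [ -z "$w" ] && continue
      printf '%s.%s\n' "$w.$labels" "$target"        # new leftmost label: staging.api.dev
      printf '%s.%s\n' "$w-$first$rest" "$target"    # word-label:         staging-api.dev
      printf '%s.%s\n' "$first-$w$rest" "$target"    # label-word:         api-staging.dev
    done < "$words"
  done | sort -u
}

# Constructed demo input (not real data): a two-entry word list and two known
# names, one of which lies outside the zone and must be ignored.
WORDLIST=$(mktemp)
printf 'staging\n01\n' > "$WORDLIST"
printf 'api.ghostwolflab.com\nwww.other-domain.example\n' \
  | gen_permutations ghostwolflab.com "$WORDLIST"
rm -f "$WORDLIST"
```

With the demo input the function emits six candidates (staging.api, staging-api, api-staging, 01.api, 01-api, api-01 under ghostwolflab.com); the out-of-zone name produces nothing, which is the scope check a defender running this against their own zone inventory wants.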

Virtual hosts

If you find an IP address that serves one or more web pages belonging to subdomains, you can try to find other subdomains with pages on that IP, either by looking up the domains of that IP in OSINT sources or by brute-forcing VHost names against that IP.

Using the OSINT tool HostHunter as an example:

# https://github.com/SpiderLabs/HostHunter

$ python3.10 -m pip install -r requirements.txt
$ python3.10 hosthunter.py <targets.txt>
$ cat vhosts.csv

Brute force:

1.
ffuf -c -w /path/to/wordlist -u http://victim.com -H "Host: FUZZ.victim.com"

2.
gobuster vhost -u https://mysite.com -t 50 -w subdomains.txt

3.
wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u http://example.com -t 100

4.
# https://github.com/allyshka/vhostbrute
vhostbrute.py --url="example.com" --remoteip="10.1.1.15" --base="www.example.com" --vhosts="vhosts_full.list"

5.
# https://github.com/codingo/VHostScan
VHostScan -t example.com

CORS brute force

The page only returns the Access-Control-Allow-Origin header when a valid domain/subdomain is set in the Origin header. In that case, this behaviour can be abused to discover new subdomains.

ffuf -w subdomains-top1million-5000.txt -u http://10.10.10.208 -H 'Origin: http://FUZZ.crossfit.htb' -mr "Access-Control-Allow-Origin" -ignore-body
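Both the VHost brute force and the CORS brute force above leave the same trace on the server: one client sending many requests that differ only in the Host or Origin header. The following added example (defender side; not code from the page or from ffuf, gobuster or wfuzz) flags such clients from an access log. The log format is assumed and constructed for this example, one request per line as "<client-ip> <Host header> <Origin header or -> <status>", which an Apache LogFormat of "%h %{Host}i %{Origin}i %>s" would produce; the threshold, function name and sample addresses are the example's own.

```bash
#!/usr/bin/env bash
# Added example (defender side, not from the page): flag clients that cycle
# through many distinct Host or Origin header values against one server.
# Assumed log format (constructed for this example), one request per line:
#   <client-ip> <Host header> <Origin header or -> <status>

# Usage: flag_header_fuzzing <threshold> < access.log
# Prints one line per client whose distinct Host or Origin count reaches the threshold.
flag_header_fuzzing() {
  awk -v thr="$1" '
    NF >= 4 {
      ip = $1; host = $2; origin = $3; status = $4
      total[ip]++
      if (!((ip, host) in seen_host)) { seen_host[ip, host] = 1; hosts[ip]++ }
      if (origin != "-" && !((ip, origin) in seen_origin)) { seen_origin[ip, origin] = 1; origins[ip]++ }
      if (status !~ /^2/) non2xx[ip]++      # unknown vhosts usually answer 4xx
    }
    END {
      for (ip in total)
        if (hosts[ip] + 0 >= thr || origins[ip] + 0 >= thr)
          printf "client=%s distinct_hosts=%d distinct_origins=%d requests=%d non2xx=%d\n",
                 ip, hosts[ip] + 0, origins[ip] + 0, total[ip], non2xx[ip] + 0
    }' | sort
}

# Constructed sample log (RFC 5737 documentation addresses, not real traffic):
# 203.0.113.7 is ordinary browsing, 198.51.100.9 walks through Host values,
# 198.51.100.23 walks through Origin values.
SAMPLE_LOG='203.0.113.7 www.ghostwolflab.com - 200
203.0.113.7 www.ghostwolflab.com - 200
198.51.100.9 www.ghostwolflab.com - 200
198.51.100.9 dev.ghostwolflab.com - 404
198.51.100.9 staging.ghostwolflab.com - 404
198.51.100.9 admin.ghostwolflab.com - 404
198.51.100.9 api.ghostwolflab.com - 200
198.51.100.23 www.ghostwolflab.com http://a.ghostwolflab.com 200
198.51.100.23 www.ghostwolflab.com http://b.ghostwolflab.com 200
198.51.100.23 www.ghostwolflab.com http://c.ghostwolflab.com 200
198.51.100.23 www.ghostwolflab.com http://d.ghostwolflab.com 200'

printf '%s\n' "$SAMPLE_LOG" | flag_header_fuzzing 4
```

With a threshold of 4 the sample flags 198.51.100.9 (5 distinct Host values, 3 non-2xx answers) and 198.51.100.23 (4 distinct Origin values) and stays silent on the normal client. The non2xx count is the useful secondary signal for Host fuzzing; for Origin fuzzing the status stays 200, which is exactly why the CORS variant above is quiet unless you look at the Origin header itself.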

Combined script

#!/bin/bash

# simple script to find subdomains from various online sources

if [ $# -ne 1 ]
then
	echo "usage: $0 <target>"
	exit 1
fi

TARGET=$1

printf "\n [>] Target set to : ${TARGET} [<]\n"

printf "\n[+] Subdomain discovery started, this might take some time depending on your net speed [+]\n"

printf "\n [*] Searching rapiddns.io [*]\n"

(curl -s "https://rapiddns.io/subdomain/${TARGET}?full=1#result" 2>/dev/null | grep "<td><a" 2>/dev/null | cut -d '"' -f 2 2>/dev/null | grep http 2>/dev/null | cut -d '/' -f3 2>/dev/null | sed 's/#results//g' 2>/dev/null | sort -u 2>/dev/null) > output.txt

printf "\n [*] Searching  bufferover.run [*]\n"

# URL quoted so the shell does not treat "?" as a glob character
(curl -s "https://dns.bufferover.run/dns?q=.${TARGET}" 2>/dev/null | jq -r '.FDNS_A[]' 2>/dev/null | cut -d',' -f2 2>/dev/null | sort -u 2>/dev/null ) >> output.txt

printf "\n [*] Searching riddler.io [*]\n"

(curl -s "https://riddler.io/search/exportcsv?q=pld:${TARGET}" 2>/dev/null | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" 2>/dev/null | sort -u 2>/dev/null ) >> output.txt

printf "\n [*] Searching www.virustotal.com [*]\n"

(curl -s "https://www.virustotal.com/ui/domains/${TARGET}/subdomains?limit=40" 2>/dev/null | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" 2>/dev/null | sort -u 2>/dev/null ) >> output.txt

printf "\n [*] Searching certspotter.com [*]\n"

# dns_names is a JSON array per issuance; strip the brackets/quotes and split on commas
(curl -s "https://certspotter.com/api/v1/issuances?domain=${TARGET}&include_subdomains=true&expand=dns_names" 2>/dev/null | jq '.[].dns_names' 2>/dev/null | tr -d '[]"\n ' 2>/dev/null | tr ',' '\n' 2>/dev/null ) >> output.txt

printf "\n [*] Searching jldc.me [*]\n"

(curl -s "https://jldc.me/anubis/subdomains/${TARGET}" 2>/dev/null | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" 2>/dev/null | sort -u 2>/dev/null ) >> output.txt

printf "\n [*] Searching sonar.omnisint.io [*]\n"

(curl --silent "https://sonar.omnisint.io/subdomains/${TARGET}" 2>/dev/null | grep -oE "[a-zA-Z0-9._-]+\.${TARGET}" 2>/dev/null | sort -u 2>/dev/null ) >> output.txt

printf "\n [*] Searching synapsint.com [*]\n"

(curl --silent -X POST https://synapsint.com/report.php -d "name=https%3A%2F%2F${TARGET}" 2>/dev/null | grep -oE "[a-zA-Z0-9._-]+\.${TARGET}" 2>/dev/null | sort -u 2>/dev/null ) >> output.txt

printf "\n [*] Searching crt.sh [*]\n"

# %25 is a URL-encoded "%" wildcard; certificate names may carry a leading "*." which is removed
(curl -s "https://crt.sh/?q=%25.${TARGET}&output=json" 2>/dev/null | jq -r '.[].name_value' 2>/dev/null | sed 's/\*\.//g' 2>/dev/null | sort -u 2>/dev/null ) >> output.txt

printf "\n [*] Sorting the output [*]\n"

sort -u output.txt > "${TARGET}.txt"
rm -f output.txt

printf "\n [+] Output saved to ${TARGET}.txt [+]\n"
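The merged file the script above writes, like the raw output of the crt.sh and rapiddns functions in the third-party API section, still mixes upper-case names, full URLs, certificate wildcard names, trailing-dot FQDNs, port suffixes and look-alike names that merely contain the target string. The following added example (not code from the page) normalises such a list and keeps only names that are actually under the target zone, so that the resolution and probing steps later on touch nothing outside scope. Function and variable names and the constructed sample input are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the page): normalise and scope-filter merged subdomain output.
# Reads raw names on stdin, prints lower-cased, de-duplicated names ending in ".<zone>".

# Usage: normalize_names <target-zone> < raw_names.txt
normalize_names() {
  t=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  tr 'A-Z' 'a-z' \
    | sed -E -e 's/^[[:space:]]+//' -e 's/[[:space:]]+$//' \
             -e 's#^[a-z][a-z0-9+.-]*://##' \
             -e 's#[/:?].*$##' \
             -e 's/^\*\.//' \
             -e 's/\.$//' \
    | awk -v t="$t" '
        # keep hostname-shaped strings whose suffix is "." followed by the zone;
        # the bare apex and look-alikes such as evil-<zone> are rejected
        $0 ~ /^[a-z0-9._-]+$/ && length($0) > length(t) + 1 && substr($0, length($0) - length(t)) == "." t' \
    | sort -u
}

# Constructed sample input (not real data) covering the cases that occur in
# merged OSINT output: URL with mixed case, certificate wildcard, trailing dot,
# leading whitespace, duplicate, port suffix, look-alike and out-of-zone names.
SAMPLE_RAW='https://API.ghostwolflab.com/login
*.mail.ghostwolflab.com
www.ghostwolflab.com.
  cdn.ghostwolflab.com
www.ghostwolflab.com
api.ghostwolflab.com:8443
evil-ghostwolflab.com
ghostwolflab.com.attacker.example
ghostwolflab.com'

printf '%s\n' "$SAMPLE_RAW" | normalize_names ghostwolflab.com
```

The sed stages are deliberately ordered: whitespace first, then scheme, then anything after a "/" ":" or "?" (path, port, query), then the "*." label that crt.sh returns for wildcard certificates, then the trailing dot. The awk suffix test is a string comparison, not a regex, so dots in the zone name cannot match arbitrary characters. On the sample input the result is exactly api, cdn, mail and www under ghostwolflab.com.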

Usually, while looking for subdomains, also check whether any of them can be taken over (subdomain takeover). If a subdomain points to a storage bucket, we can check the bucket's permissions.